Xerox ColorQube 9201, Руководство системного администратора

Страница: 167 / 336

Security
Xerox ColorQube™ 9201/9202/9203
System Administrator Guide
159
IKE Phase 2 negotiates IP Secs System Administrator to set up the IP Sec tunnel.
1. In the IKE Phase 1 area:
a. For [Key Lifetime] enter length of time that this key will live, either in seconds, minutes or
hours.
b. Select required option from the [DH Group] drop-down menu, choose one of following:
• DH Group 2 - which provides a 1024 bit Modular Exponential (MODP) keying strength.
• DH Group 14 , which provides a 2048 bit MODP keying strength. Diffie-Hellman (DH) is a
public-key cryptography scheme that allows two parties to establish a shared secret over
an insecure communications channel. It is also used within IKE to establish session keys.
c. For Hash - Encryption , check the required checkboxes:
• SHA1 (Secure Hash Algorithm 1) and MD5 (Message Digest 5) are one-way hashing
algorithms used to authenticate packet data. Both produce a 128-bit hash. The SHA1
algorithm is generally considered stronger but slower than MD5. Select MD5 for better
encryption speed, and SHA1 for better security.
• 3DES (Triple-Data Encryption Standard) is a variation on DES that uses a 168-bit key. As
a result, 3DES is more secure than DES. It also requires more processing power, resulting
in increased latency and decreased throughput.
• AES (Advanced Encryption Standard) is a more secure method compared to 3DES.
2. In the IKE Phase 2 area:
a. Select from the [IPSec Mode] drop-down menu one of the following:
• Transport Mode : This provides a secure connection between two endpoints as it
encapsulates the IP payload, while Tunnel Mode encapsulates the entire IP packet.
• Tunnel Mode : This provides a virtual ‘secure hop’ between two gateways. It is used to
form a traditional VPN, where the tunnel generally creates a secure tunnel across an
untrusted Internet.
b. If you select [Tunnel Mode] , then select either [Disabled] , [IPv4 Address] or [IPv6 Address] .
c. If you select IPv4 Address or IPv6 Address , enter IP Address details.
d. From the [IPsec Security] drop-down menu, select either, Both , ESP or AH .
AH (Authentication Header) and ESP (Encapsulating Security Payload) are the two main
wire-level protocols used by IPsec, and they authenticate (AH) and encrypt and authenticate
(ESP) the data flowing over that connection. They can be used independently or together.
e. For [Key Lifetime] enter length of time that this key will be valid for, either in seconds,
minutes or hours.
f. Select the preferred option from the [Perfect Forward Secrecy] drop-down menu. Default is
‘ None ’.
g. Check the required checkboxes for [Hash] and [Encryption] .
Hash refers to the authentication mode, which calculates an Integrity Check Value (ICV) over
the packet's contents. This is built on top of a cryptographic hash (MD5 or SHA1).
Encryption uses a secret key to encrypt the data before transmission. This hides the contents
of the packet from eavesdroppers. Algorithm choices are AES and 3DES.
Note: Encryption will not be shown if [IPsec Security] is set to AH .
3. Click on the [Save] button to return to the IP Sec - Action page.